Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Decentralized Autonomous Organizations (DAOs) are on-chain entities that can manage decisions and capital like companies do. The upside is that the formation of a DAO is much easier than a regular company. The article has many exploit types but I enjoyed the softer vulnerability on it personally versus the classic reentrancy and flash loan issues. So, that's what I'm going to post.

Proposal execution is typically decentralized. Since this was the case after a Sonne Finance governance approval, the execution to add markets should have been fine. The order of operations really mattered. By doing things out of order, $20 was stolen from the market. To resolve this, ensure that multi-step proposals happen in the specific order TOGETHER.

The next thing to consider are the proposals themselves. Since it's decentralized, anyone can make a proposal. Ensuring that these aren't approved for funky business is crucial for not getting completely pwned. Tornado Cash had a proposal for C503893 and one that claimed to be the same with a slight upgrade to it to destroy the old contract. In reality, the proposal deployed a different contract at the same location as the original proposal to add a backdoor to the system.

Eventually, this led to $1M being stolen from the protocol then mixed through Tornado Cash itself (lolz). To prevent these issues from happening, a few things can be done:

• Analyse all submitted proposals. Given that not everyone has the technical capability to review code, this is challenging though.
• Proposal template should prevent use of the CREATE/CREATE codes to do some craziness in the replacing of the code.
• DAO's are good until they're not. In this case, similar to voting in the USA, not everyone is properly informed. So, having a forum with official communication on what something is can be a major positive influence on how the voting works.

Insider Threats sound like science fiction but they are real. Threat actors like join companies in order to get the secrets and steal funds. Additionally, a rogue engineer can even steal the funds sometimes. To prevent these attacks from happening, carefully vet who you hire and ensure there are no single points of failure.

Another problem is decentralization is doing stuff quickly or at all. In the case of Swerve Finance the team was completely anonymous. Additionally, they entrusted their multi-sig to big players like SBF. Eventually, when governance operations were needed, there was no one there to be found. Anon's can disappear in a moment. To resolve this, ensure people have reputations on the line and do not have ulterior motives.

Timelocks are used to execute code after a specific time after the proposal; this gives users time to leave the system if something happens or perform an emergency stop if it's deemed to be malicious after approval. Compound, a defi loan system, had proposed a code change that had a serious bug in it that allowed COMP rewards to be claimed, which shouldn't be possible. Since there was a timelock on the governance actions, the code couldn't be fixed fast enough.

The pro of DAOs is that you can be anonymous and methodical. At the same time, these can be cons. Developing the DAO in such a way that A) people are held responsible for their actions and B) swift action can be taken in times of need is essential. Good write-up discussing some of the edge cases of DAOs!